Create a Group Policy, or amend an existing one, to allow RDP for all profiles, i.e. Domain, Private and Public.

In Windows Firewall > Allowed apps and features, allow the app for the Domain and Private profiles.

Be sure to allow the IP address ranges for the Azure region of your subscription. Any IP address-based firewall rules must allow communication from the on-premises infrastructure to the Azure datacenter IP ranges on ports 443 (HTTPS) and 9443 (data replication). These ranges have to be allowed both in your on-premises firewall (for example a Cisco ASA) and in any cloud firewall such as an Azure NSG.

Log on to the VM that will be protected by Azure Site Recovery and open a Command Prompt as an administrator.

Type DiskPart, then type SAN.

It will show SAN Policy : Online All.

· If it does not, type SAN POLICY=ONLINEALL.
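As an added pre-flight check (this is not part of the original post), the prerequisites above can be verified in one elevated PowerShell session on the VM to be protected: SAN policy via DiskPart, RDP allowed on all three firewall profiles, and reachability of the configuration server on 443 and 9443. The server name is a placeholder.

```powershell
# Added example, not from the original post: pre-flight check for the
# prerequisites above (SAN policy, RDP allowed on every firewall profile,
# reachability of the configuration server on 443 and 9443).
# Run in an elevated PowerShell on the VM that will be protected.
# $ConfigServer is a placeholder; substitute your own configuration server.
$ConfigServer = 'cs01.contoso.local'

$results = [ordered]@{}

# 1. SAN policy: drive DiskPart from a script file, as the manual step does,
#    and parse the "SAN Policy  : Online All" line it prints.
$script = Join-Path $env:TEMP 'asr-san-check.txt'
'san' | Set-Content -Path $script -Encoding ASCII
$sanLine = diskpart /s $script | Where-Object { $_ -match 'SAN Policy' }
Remove-Item $script -ErrorAction SilentlyContinue
$results['SAN policy = Online All'] = [bool]($sanLine -match 'Online All')

# 2. RDP: every enabled "Remote Desktop" allow rule carries the profiles it
#    applies to ("Any", or a comma-separated list). All three profiles must
#    be covered, because the failed-over VM may come up on a network that
#    Windows classes as Public.
$rdpProfiles = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True `
                   -Direction Inbound -Action Allow -ErrorAction SilentlyContinue |
    ForEach-Object { "$($_.Profile)" -split ',\s*' }
$missing = @('Domain', 'Private', 'Public' | Where-Object { $rdpProfiles -notcontains $_ })
$results['RDP allowed on Domain/Private/Public'] =
    ($rdpProfiles -contains 'Any') -or ($missing.Count -eq 0)

# 3. Ports: 443 carries orchestration, 9443 the replication data. A blocked
#    9443 is the usual reason an Enable Replication job never progresses.
foreach ($port in 443, 9443) {
    $probe = Test-NetConnection -ComputerName $ConfigServer -Port $port -WarningAction SilentlyContinue
    $results["TCP $port to $ConfigServer"] = $probe.TcpTestSucceeded
}

# One-line verdict per check.
$results.GetEnumerator() | ForEach-Object {
    '{0,-40} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```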

2. On the on-premises machine before failover, check that the Secure Shell service is set to start automatically on system boot. Check that firewall rules allow an SSH connection.

3. On the Azure VM after failover, check Boot diagnostics to view a screenshot of the VM if you can't connect.

Download the vault registration key. You need this when you run Unified Setup. The key is valid for five days after you generate it.

Step8: Run and Configure Site Recovery Unified Setup

Run the Unified Setup installation file.

In Before You Begin, select Install the configuration server and process server then click Next.

In Third Party Software License, click I Accept to download and install MySQL, then click Next.

In Registration, select the registration key you downloaded from the vault.

In Internet Settings, specify how the Provider running on the configuration server connects to Azure Site Recovery over the Internet. If you have an internet proxy server, provide the proxy details here.

In Prerequisites Check, Setup runs a check to make sure that installation can run. If a warning appears about the Global time sync check, verify that the time on the system clock (Date and Time settings) is the same as the time zone.

In MySQL Configuration, create credentials for logging on to the MySQL server instance that is installed.

In Install Location, select where you want to install the binaries and store the cache. The drive you select must have at least 5 GB of disk space available, but we recommend a cache drive with at least 600 GB of free space.

In Network Selection, specify the listener (network adapter and SSL port) on which the configuration server sends and receives replication data. Port 9443 is the default port used for sending and receiving replication traffic, but you can modify this port number to suit your environment’s requirements. We also open port 443, which is used to orchestrate replication operations. Do not use port 443 for sending or receiving replication traffic.

In Summary, review the information and click Install. Setup installs the configuration server and registers it with the Azure Site Recovery service.

When installation finishes, a passphrase is generated. You will need this when you enable replication, so copy it and keep it in a secure location. The server is displayed on the Settings > Servers pane in the vault.

On your configuration server, launch exe. It is available as a shortcut on the desktop and located in the install location\home\svsystems\bin folder.

Click Manage Accounts > Add Account.

In Account Details, add the account that will be used for automatic discovery.

Step9: Add vCenter Server to Azure Site Recovery Vault

Open the Azure portal and click on All resources.

Click on the Recovery Service vault named ContosoVMVault.

Click Site Recovery > Prepare Infrastructure > Source

Select +vCenter to connect to a vCenter server or vSphere ESXi host.

In Add vCenter, specify a friendly name for the server. Then, specify the IP address or FQDN.

Leave the port set to 443, unless your VMware servers listen for requests on a different port.

Select the account SVC-AzureSR to use for connecting to the server. Click OK.

In RPO threshold, use the default of 60 minutes. This value defines how often recovery points are created. An alert is generated if continuous replication exceeds this limit.

In Recovery point retention, the default of 24 hours sets how long the retention window is for each recovery point; for this tutorial we select 72 hours. Replicated VMs can be recovered to any point within the window.

In App-consistent snapshot frequency, use the default of 60 minutes for the frequency that application-consistent snapshots are created. Click OK to create the policy.

The policy is automatically associated with the configuration server. By default, a matching policy is automatically created for failback.

Step12: Enable replication as follows:

Click Replicate application > Source.

In Source, select the configuration server.

In Machine type, select Virtual Machines.

In vCenter/vSphere Hypervisor, select the vCenter server that manages the vSphere host, or select the host.

Select the process server (configuration server). Then click OK.

In Target, select the subscription and the resource group in which you want to create the failed over VMs. Choose the deployment model that you want to use in Azure (classic or resource management), for the failed over VMs.

Select the Azure storage account you want to use for replicating data.

Select the Azure network and subnet to which Azure VMs will connect, when they’re created after failover.

Select Configure now for selected machines, to apply the network setting to all machines you select for protection. Select Configure later to select the Azure network per machine.

In Virtual Machines > Select virtual machines, click and select each machine you want to replicate. You can only select machines for which replication can be enabled. Then click OK.

In Properties > Configure properties, select the account that will be used by the process server to automatically install the Mobility service on the machine.

Click Enable Replication. You can track progress of the Enable Protection job in Settings > Jobs > Site Recovery Jobs.

Step13: Verify VM Properties

In Protected Items, click Replicated Items > VM.

In the Replicated item pane, there’s a summary of VM information, health status, and the latest available recovery points. Click Properties to view more details.

In Compute and Network, you can modify the Azure name, resource group, target size, availability set, and managed disk settings.

You can view and modify network settings, including the network/subnet in which the Azure VM will be located after failover, and the IP address that will be assigned to it.

In Disks, you can see information about the operating system and data disks on the VM.

Step14: Disaster Recovery Drill or Testing a DR

In Settings > Replicated Items, click the VM > +Test Failover.

Select a recovery point to use for the failover:

Latest processed: Fails the VM over to the latest recovery point that was processed by Site Recovery. The time stamp is shown. With this option, no time is spent processing data, so it provides a low RTO (recovery time objective).

Latest app-consistent: This option fails over all VMs to the latest app-consistent recovery point. The time stamp is shown.

Custom: Select any recovery point.

In Test Failover, select the target Azure network to which Azure VMs will be connected after failover occurs.

Click OK to begin the failover. You can track progress by clicking on the VM to open its properties. Or you can click the Test Failover job in vault name > Settings > Jobs > Site Recovery jobs.

After the failover finishes, the replica Azure VM appears in the Azure portal > Virtual Machines. Check that the VM is the appropriate size, that it’s connected to the right network, and that it’s running.

You should now be able to connect to the replicated VM in Azure.

To delete Azure VMs created during the test failover, click Cleanup test failover on the recovery plan.

Step15: Understanding and Preparing for failover and failback

Objective 1: Run a failover to Azure

In Settings > Replicated items click the VM > Failover.

In Failover select a Recovery Point to fail over to. You can use one of the following options:

Latest (default): This option first processes all the data sent to Site Recovery. It provides the lowest RPO (Recovery Point Objective) because the Azure VM created after failover has all the data that was replicated to Site Recovery when the failover was triggered.

Latest processed: This option fails over the VM to the latest recovery point processed by Site Recovery. This option provides a low RTO (Recovery Time Objective), because no time is spent processing unprocessed data.

Latest app-consistent: This option fails over the VM to the latest app-consistent recovery point processed by Site Recovery.

Custom: Specify a recovery point.

Select Shut down machine before beginning failover to attempt to shut down the source virtual machines before triggering the failover. Failover continues even if the shutdown fails. You can follow the failover progress on the Jobs

If you prepared to connect to the Azure VM, connect to validate it after the failover.

After you verify, Commit the failover. This deletes all the available recovery points.

Don't cancel the task. Sit back, relax and take a coffee break. If you cancel a failover in progress, the failover stops, but the VM won't replicate again.

Objective 2: Re-protect Azure VMs

Note: This procedure presumes that the on-premises VM isn’t available and you’re re-protecting to an alternate location.

In Settings > Replicated items, right-click the VM that was failed over and Re-Protect.

In Re-protect, verify that Azure to On-premises, is selected.

Specify the on-premises master target server, and the process server.

In Datastore, select the master target datastore to which you want to recover the disks on-premises. Use this option when the on-premises VM has been deleted and you need to create new disks. This setting is ignored if the disks already exist, but you still need to specify a value.

In Confirm Failover, verify that the failover direction is from Azure.

Select the recovery point that you want to use for the failover. An app-consistent recovery point occurs before the most recent point in time, and it will cause some data loss. When failover runs, Site Recovery shuts down the Azure VMs, and boots up the on-premises VM. There will be some downtime, so choose an appropriate time.

Right-click the machine, and click Commit. This triggers a job that removes the Azure VMs.

Verify that Azure VMs have been shut down as expected.

Objective 4: Re-protect on-premises machines to Azure

Note: Data should now be back on your on-premises site, but it isn't replicating to Azure. You can start replicating to Azure again as follows:

In the vault > Settings > Replicated Items, select the VMs that have failed back, and click Re-Protect.

Select the process server that is used to send the replicated data to Azure, and click OK.

The evolution of virtualization led to the virtualization of a wide range of technology, including the key building block of a data center: the network. A traditional network used to be a wired connection of physical switches and devices. A network administrator had nightmares making a configuration change, because of the possibility of breaking another configuration while doing so. Putting together a massive data center was an expensive venture and a lengthy project. With virtualization and cloud services on the horizon, anything can be offered as a service and almost anything can be virtualised and software defined.

Since the development of Microsoft SCVMM and VMware NSX, network function virtualization (NFV), network virtualization (NV) and software defined networking (SDN) have been making a bold statement to on-premises customers and cloud-based service providers. Of all the benefits of having a software defined network, two stand out: easy provisioning of a network and easy change control of that network. You don't have to fiddle around with the physical layer of the network, and you certainly don't have to modify a virtual host, to provision a complete network with a few mouse clicks. How does it work?

Software Defined Networking- Software defined networking (SDN) is a dynamic, manageable, cost-effective and adaptable high-bandwidth, agile, open architecture. SDN architectures decouple network control and forwarding functions, enabling network control to become directly programmable and the underlying infrastructure to be abstracted from applications and network services. Cisco provides examples of software defined networking.

The fundamental building blocks of SDN are:

Programmable: Network control is directly programmable because it is decoupled from forwarding functions.

Centrally managed: Network intelligence is (logically) centralized in software-based SDN controllers that maintain a global view of the network, which appears to applications and policy engines as a single, logical switch.

Open standards-based and vendor-neutral: When implemented through open standards, SDN simplifies network design and operation because instructions are provided by SDN controllers instead of multiple, vendor-specific devices and protocols.

Network Virtualization- A virtualized network is simply a partitioning of the existing physical network into multiple logical networks. Network virtualization creates logical segments in an existing network by dividing the network logically at the flow level. The end goal is to allow multiple virtual machines to share a logical segment, or a private portion of the network allocated to a business. In physical networking you cannot have the same IP address range twice within the same network and manage traffic for two different kinds of services and applications. In a virtual world you can have the same IP range segregated into separate logical networks. Let's say two different businesses/tenants each have the 10.124.3.x/24 IP address scheme in their internal network, and both decide to migrate to the Microsoft Azure platform and bring their own IP address scheme (10.124.3.x/24) with them. It is absolutely possible for them to retain their own IP addresses and migrate to Microsoft Azure. You will not see any changes within the Azure portal. You don't even know that another organisation has the same internal IP address scheme and is possibly hosted on the same Hyper-V host. It is programmatically and logically managed by the Azure Stack and SCVMM network virtualization technology.

Network Functions Virtualization- Network function virtualization is the virtualising of layers 4 to 7 of the OSI model in a software defined network. NFV runs on high-performance x86 platforms, and it enables users to turn up functions on selected tunnels in the network. The end goal is to allow an administrator to create a service profile for a VM, then create a logical workflow within the network (the tunnel), and then build virtual services on that specific logical environment. NFV saves a lot of time in provisioning and managing the application level of the network. Functions like IDS, firewall and load balancer can be virtualised in Microsoft SCVMM and VMware NSX.

Cisco Services Platform: Accelerate the deployment of new mobile Internet services and tap into network intelligence.

Network Service Virtualization- Network Service Virtualization (NSV) virtualizes a network service, for example a firewall module or an IPS software instance, by dividing the software image so that it may be accessed independently by different applications, all from a common hardware base. NSV eliminates the cost of acquiring separate hardware for a single purpose; instead it uses the same hardware to serve a different purpose every time the network is accessed or a service is requested. It also opens the door for service providers to offer security as a service to various customers.

Network security appliances are now bundled as a set of security functions within one appliance. For example, firewalls were offered on special-purpose hardware, as were IPS (Intrusion Protection System), Web Filter, Content Filter, VPN (Virtual Private Network), NBAD (Network-Based Anomaly Detection) and other security products. This integration allows for greater software collaboration between security elements, lowers the cost of acquisition and streamlines operations.

Cisco virtualized network services available on the Cisco Catalyst 6500 series platform:

Network security virtualization

· Virtual firewall contexts, also called security contexts

· Up to 250 mixed-mode multiple virtual firewalls

· Routed firewalls (Layer 3)

· Transparent firewalls (Layer 2, or stealth)

· Mixed-mode firewalls: a combination of Layer 2 and Layer 3 firewalls coexisting on the same physical firewall

Virtual Route Forwarding (VRF) network services

· NetFlow on VRF interfaces

· VRF-aware syslog

· VRF-aware TACACS

· VRF-aware Telnet

· Virtualized address management policies using VRF-aware DHCP

· Optimized traffic redirection using PBR-set VRF

Finally, you can have all of these in one basket without incurring the cost of each component once you have System Center Virtual Machine Manager or Microsoft Azure Stack implemented in your on-premises infrastructure, or if you choose to migrate to the Microsoft Azure platform.

Network Virtualization – Network virtualization is a parallel concept to server virtualization: it allows you to abstract and run multiple virtual networks on a single physical network.

Connects virtual machines to other virtual machines, hosts, or applications running on the same logical network.

Provides independent migration of virtual machines, which means that when a VM is moved from its original host to a different host, SCVMM automatically migrates the virtual network with the VM so that it remains connected to the rest of the infrastructure.

Allows multiple tenants to have their own isolated networks for security and privacy reasons.

Logical networks: A logical network in VMM contains the VLAN, PVLAN and subnet information of a site on a Hyper-V host or Hyper-V cluster. An IP address pool and a VM network can be associated with a logical network. A logical network can connect to one or many other networks, and vice versa. The purpose of each logical network, and whether it is available to the tenant cloud, is as follows:

Logical network: External

Purpose:

· Site-to-site endpoint IP addresses

· Load balancer virtual IP addresses (VIPs)

· Network address translation (NAT) IP addresses for virtual networks

· Tenant VMs that need direct connectivity to the external network with full inbound access

Tenant cloud: Yes

Logical network: Infrastructure

Purpose: Used for service provider infrastructure, including host management, live migration, failover clustering, and remote storage. It cannot be accessed directly by tenants.

Tenant cloud: No

Logical network: Load Balancer

Purpose:

· Uses static IP addresses

· Has outbound access to the external network via the load balancer

· Has inbound access that is restricted to only the ports that are exposed through the VIPs on the load balancer

Tenant cloud: Yes

Logical network: Network Virtualization

Purpose:

· This network is automatically used for allocating provider addresses when a VM that is connected to a virtual network is placed onto a host.

· Only the gateway VMs connect to this directly.

· Tenant VMs connect to their own VM network. Each tenant's VM network is connected to the Network Virtualization logical network.

· A tenant VM will never connect to this directly.

· Static IP addresses are automatically assigned.

Tenant cloud: Yes

Logical network: Gateway

Purpose: Associated with forwarding gateways, which require one logical network per gateway. For each forwarding gateway, a logical network is associated with its respective scale unit and forwarding gateway.

Tenant cloud: No

Logical network: Services

Purpose:

· The Services network is used for connectivity between services in the stamp by public-facing Windows Azure Pack features, and for SQL Server and MySQL Database DBaaS deployments.

· All deployments on the Services network are behind the load balancer and accessed through a virtual IP (VIP) on the load balancer.

· This logical network is also designed to provide support for any service provider-owned service and is likely to be used by high-density web servers initially, but potentially many other services over time.

Tenant cloud: No

IP Address Pool: An IP address pool is a range of IP addresses assigned to a logical network in a site. It provides the IP address, subnet, gateway, DNS and WINS information to virtual machines and applications.

Hardware Load Balancer: The hardware load balancer is a function within SCVMM networking that provides third-party load balancing of applications and services. A virtual IP or an IP address pool can be associated with a hardware load balancer.

VIP Templates: A VIP template is a standard template used to define the virtual IP addresses associated with a hardware load balancer. A VIP is allocated to applications, services and virtual machines hosted in SCVMM 2012 R2. For example, a template can specify the load-balancing behaviour for HTTPS traffic on a specific load balancer, by manufacturer and model.

Logical Switch: Logical switches act as containers for the properties or capabilities that you want network adapters to have. Instead of configuring individual properties or capabilities for each network adapter, you can specify the capabilities in port profiles and logical switches, which you can then apply to the appropriate adapters. A logical switch acts as an extension of a physical switch, with the major difference that you don't have to drive to the data center, take a patch lead and connect it to the computer, then configure the switch port and assign a VLAN tag to it. In the logical switch you define the uplinks (physical adapters) of the Hyper-V hosts and associate those uplinks with logical networks and sites.

Port Profiles: Port profiles act as containers for the security and privacy settings that you want network adapters to have. Instead of configuring individual properties or capabilities for each network adapter, you can specify these capabilities in port profiles, which you can then apply to the appropriate adapters. Port profiles are associated with the uplinks in a logical switch.

Port Classification: Port classifications provide global names for identifying different types of virtual network adapter port profiles. A port classification can be used across multiple logical switches while the settings for the port classification remain specific to each logical switch. For example, you might create one port classification named FAST to identify ports that are configured to have more bandwidth, and another port classification named SLOW to identify ports that are configured to have less bandwidth.

Network Service: A network service is a container in which you can add Windows and non-Windows network gateways, IP address management and monitoring information. An IP Address Management (IPAM) server running on Windows Server 2012 R2 can provide resources to VMM. You can use the IPAM server in the network resources tab of SCVMM to configure and monitor logical networks and their associated network sites and IP address pools. You can also use the IPAM server to monitor the usage of VM networks that you have configured or changed in VMM.

Virtual switch extension: A virtual switch extension manager in SCVMM allows you to use a software-based vendor network-management console and the VMM management server together. For example, you can install the Cisco 1000v extension software on a VMM server and add the functionality of Cisco switches to the VMM console.

VM Network: A VM network on a logical network is the endpoint of network virtualization; it directly connects a virtual machine to allow public or private communication with other VMs, networks and services. A VM network is associated with a logical network for direct access to other VMs.
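The logical network, network site, IP address pool and VM network objects described above, and the two-tenants-with-the-same-10.124.3.x/24 scenario from the Network Virtualization section, can be built with the VMM PowerShell module. This is an added example, not code from the original post; the VMM server name, host group, VLAN, subnets and addresses are placeholders for your own fabric.

```powershell
# Added example, not from the original post: builds the SCVMM network objects
# described above (logical network with network virtualization, a network
# site, a provider-address IP pool, and two tenant VM networks that both use
# 10.124.3.0/24) with the VMM PowerShell module. Server name, host group,
# VLAN, subnets and addresses are placeholders for your own fabric.
Import-Module virtualmachinemanager
$vmm = Get-SCVMMServer -ComputerName 'vmm01.contoso.local'   # placeholder
$hostGroup = Get-SCVMHostGroup -Name 'All Hosts'

# Logical network: no VLAN-based isolation, Hyper-V Network Virtualization on.
# Provider addresses (PA) for the hosts are taken from this network.
$ln = New-SCLogicalNetwork -Name 'Network Virtualization' `
        -LogicalNetworkDefinitionIsolation $false `
        -EnableNetworkVirtualization $true -UseGRE $false -IsPVLAN $false

# Network site: the VLAN/subnet pair this logical network uses on the host group.
$paSubnet = New-SCSubnetVLan -Subnet '10.60.0.0/24' -VLanID 60
$site = New-SCLogicalNetworkDefinition -Name 'Network Virtualization_Site1' `
          -LogicalNetwork $ln -VMHostGroup $hostGroup -SubnetVLan $paSubnet

# IP pool: hands out PA addresses plus gateway, DNS and suffix. The first
# addresses are reserved so VMM never allocates them to a host.
$gw = New-SCDefaultGateway -IPAddress '10.60.0.1' -Automatic
$pool = New-SCStaticIPAddressPool -Name 'PA Pool' -LogicalNetworkDefinition $site `
          -Subnet '10.60.0.0/24' -IPAddressRangeStart '10.60.0.10' `
          -IPAddressRangeEnd '10.60.0.250' -IPAddressReservedSet '10.60.0.10-10.60.0.19' `
          -DefaultGateway $gw -DNSServer '10.60.0.5' -DNSSuffix 'contoso.local'

# Two tenants with identical customer-address (CA) ranges. Isolation is per
# VM network, so the overlap is legal and neither tenant can reach the other.
foreach ($tenant in 'TenantA', 'TenantB') {
    $vmNet = New-SCVMNetwork -Name "$tenant Network" -LogicalNetwork $ln `
               -IsolationType 'WindowsNetworkVirtualization' `
               -CAIPAddressPoolType 'IPV4' -PAIPAddressPoolType 'IPV4'
    $caSubnet = New-SCSubnetVLan -Subnet '10.124.3.0/24'
    $vmSubnet = New-SCVMSubnet -Name "$tenant Subnet" -VMNetwork $vmNet -SubnetVLan $caSubnet
    $caGw = New-SCDefaultGateway -IPAddress '10.124.3.1' -Automatic
    New-SCStaticIPAddressPool -Name "$tenant CA Pool" -VMSubnet $vmSubnet `
        -Subnet '10.124.3.0/24' -IPAddressRangeStart '10.124.3.10' `
        -IPAddressRangeEnd '10.124.3.250' -DefaultGateway $caGw | Out-Null
}
```

Both tenant pools are created from the same 10.124.3.0/24 range; VMM maps each tenant's CA addresses onto distinct PA addresses from the PA Pool, which is what lets the two schemes coexist on one host.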

The following procedure describes the Network Load Balancing functionality in Microsoft SCVMM. Microsoft's native NLB is automatically included when you install SCVMM. This procedure describes how to install and configure a third-party load balancer in SCVMM.

Enter a name and optional description to identify the credentials in VMM.

Enter the credentials for the Run As account in the User name and Password text boxes. These are the username and password of the virtual load balancer appliance you downloaded from the third-party website and deployed in Hyper-V.

On the Credentials page, next to the Run As account box, click Browse, and then click a Run As account you created in step 3, click OK, and then click Next.

On the Host Group page, select the check box next to each host group where the load balancer will be available. By default, any child host groups are also selected.

On the Manufacturer and Model page, specify the load balancer manufacturer and model, and then click Next.

On the Address page, provide the IP address or FQDN and the port number of the load balancer, and then click Next.

On the Logical Network Affinity page, specify the load balancer affinity to logical networks, and then click Next.

On the Provider page, select the provider, click Test, and then click Next.

On the Summary page, confirm the settings, and then click Finish.

Step4: Creating a VIP Template for a third-party hardware load balancer

You can create two types of VIP template: 1. Generic; 2. Vendor specific.

For a vendor-specific load balancer, do the following.

In Virtual Machine Manager (VMM), open the Fabric workspace.

In the Fabric pane, expand Networking, and then click VIP Templates.

On the Home tab, in the Show group, click Fabric Resources.

On the Home tab, in the Create group, click Create VIP Template.

On the Name page, type the name, description and port (443) of the template, then click Next.

On the Type page, select Specific, select the third-party vendor and NLB type, then click Next.

On the Protocol page, select TCP, UDP or both, based on your requirements, then click Next, click Next again, and click Finish.

For a Generic load balancer provider, change step 6 to select Generic and then follow the same steps.

In Virtual Machine Manager (VMM), open the Fabric workspace.

In the Fabric pane, expand Networking, and then click VIP Templates.

On the Home tab, in the Show group, click Fabric Resources.

On the Home tab, in the Create group, click Create VIP Template.

On the Name page, type the name, description and port (443) of the template, then click Next.

On the Type page, select Generic, then click Next.

On the Protocol page, select TCP, UDP or both, based on your requirements, then click Next, click Next again, and click Finish.

HTTPS pass-through- Traffic terminates directly at the virtual machine and is not decrypted at the load balancer, so the load balancer cannot inspect or rewrite the HTTP content, and the certificate and private key live only on the VM.

HTTPS terminate – Traffic is decrypted at the load balancer and re-encrypted to the virtual machine. This option is best for Exchange OWA and other applications. You must log on to the load balancer portal, import the SSL certificate of OWA, and also select the re-encrypt option in the VIP template. Because the load balancer then holds the certificate's private key, it must be protected like the OWA server itself; and unless re-encrypt is selected, the hop from the load balancer to the VM is plaintext.

Note: The time-out value must be less than the interval value. Both values are in seconds.

On the Load Balancing page, select the load balancing method, then click Next.

On the Summary page, review the settings, and then click Finish.

The next step is to create a load-balanced web services template and connect it to the load balancer. In the port profile of the VM's service template you have to select network load balanced, then deploy the template into production.